Cockpit is a Linux session.
Normally when you connect from one login session to a second one, the
second login session does not access to the first ... although the does
not hold.
For example if you SSH into machineA ... and then from machineA SSH into
machineB ... it is assumed (and typically the case) that the login
session on machineB does not have access to the login session on machineA.
In Cockpit this has not been the case. When you start a Cockpit login
session on machineA ... and then in Cockpit on machineA you add machineB
as a second server. The Cockpit login session tasks/code for each of
those have equal access to one another via the browser.
I worked with Muelli over the weekend to try and fix this and here's a
basic pull request:
https://github.com/cockpit-project/cockpit/pull/6260
We can ask the browser to apply the Same Origin policy and keep the
sessions sandboxed. There's several places where some follow up work is
needed, as seen by the dependencies of that pull request.
But also it's impossible to use window.localStorage from such a browser
sandbox. So if we put this in, we would likely need to implement a new
window.localStorage that uses window.postMessage with "hint" messages to
store/retrieve contents.
Once this is done, we can enforce the separation of concerns between
stuff running from different machines and start to mirror this assumed
behavior of Linux login sessions.
Cheers,
Stef